From: Donald Hunter <donald.hunter@gmail.com>
To: Antonio Quartulli <antonio@openvpn.net>
Cc: netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com,
ryazanov.s.a@gmail.com, edumazet@google.com, andrew@lunn.ch,
sd@queasysnail.net
Subject: Re: [PATCH net-next v7 04/25] ovpn: add basic netlink support
Date: Tue, 17 Sep 2024 14:23:59 +0100 [thread overview]
Message-ID: <m2wmjabehc.fsf@gmail.com> (raw)
In-Reply-To: <20240917010734.1905-5-antonio@openvpn.net> (Antonio Quartulli's message of "Tue, 17 Sep 2024 03:07:13 +0200")
Antonio Quartulli <antonio@openvpn.net> writes:
> This commit introduces basic netlink support with family
> registration/unregistration functionalities and stub pre/post-doit.
>
> More importantly it introduces the YAML uAPI description along
Hi Antonio,
net-next is currently closed so my guess is that you'll have to resend
this when net-next reopens at the end of the month:
https://netdev.bots.linux.dev/net-next.html
I have read through the YAML spec and I have few comments (and nits)
below.
Thanks,
Donald.
> diff --git a/Documentation/netlink/specs/ovpn.yaml b/Documentation/netlink/specs/ovpn.yaml
> new file mode 100644
> index 000000000000..456ac3747d27
> --- /dev/null
> +++ b/Documentation/netlink/specs/ovpn.yaml
> @@ -0,0 +1,328 @@
> +# SPDX-License-Identifier: ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)
> +#
> +# Author: Antonio Quartulli <antonio@openvpn.net>
> +#
> +# Copyright (c) 2024, OpenVPN Inc.
> +#
> +
> +name: ovpn
> +
> +protocol: genetlink
> +
> +doc: Netlink protocol to control OpenVPN network devices
> +
> +definitions:
> + -
> + type: const
> + name: nonce-tail-size
> + value: 8
> + -
> + type: enum
> + name: cipher-alg
> + value-start: 0
> + entries: [ none, aes-gcm, chacha20_poly1305 ]
Nit: Is there any reason for the underscore in chacha20_poly1305 and the
mixed use of dash / underscore in various identifiers throughout the
spec? The YNL convention is to use dashes throughout.
> + -
> + type: enum
> + name: del-peer_reason
> + value-start: 0
> + entries: [ teardown, userspace, expired, transport-error, transport_disconnect ]
> + -
> + type: enum
> + name: key-slot
> + value-start: 0
> + entries: [ primary, secondary ]
> + -
> + type: enum
> + name: mode
> + value-start: 0
> + entries: [ p2p, mp ]
> +
> +attribute-sets:
> + -
> + name: peer
> + attributes:
> + -
> + name: id
> + type: u32
> + doc: |
> + The unique Id of the peer. To be used to identify peers during
> + operations
> + checks:
> + max: 0xFFFFFF
> + -
> + name: sockaddr-remote
> + type: binary
> + doc: |
> + The sockaddr_in/in6 object identifying the remote address/port of the
> + peer
The use of structs as attribute values is strongly discouraged. There
should be separate attributes for port and ipv[46]-address.
https://docs.kernel.org/userspace-api/netlink/intro.html#fixed-metadata-and-structures
> + -
> + name: socket
> + type: u32
> + doc: The socket to be used to communicate with the peer
> + -
> + name: vpn-ipv4
> + type: u32
> + doc: The IPv4 assigned to the peer by the server
nit: IPv4 address
> + display-hint: ipv4
> + -
> + name: vpn-ipv6
> + type: binary
> + doc: The IPv6 assigned to the peer by the server
nit: IPv6 address
> + display-hint: ipv6
> + checks:
> + exact-len: 16
> + -
> + name: local-ip
> + type: binary
> + doc: The local IP to be used to send packets to the peer (UDP only)
> + checks:
> + max-len: 16
It might be better to have separate attrs fopr local-ipv4 and
local-ipv6, to be consistent with vpn-ipv4 / vpn-ipv6
> + -
> + name: local-port
> + type: u32
> + doc: The local port to be used to send packets to the peer (UDP only)
> + checks:
> + min: 1
> + max: u16-max
> + -
> + name: keepalive-interval
> + type: u32
> + doc: |
> + The number of seconds after which a keep alive message is sent to the
> + peer
> + -
> + name: keepalive-timeout
> + type: u32
> + doc: |
> + The number of seconds from the last activity after which the peer is
> + assumed dead
> + -
> + name: del-reason
> + type: u32
> + doc: The reason why a peer was deleted
> + enum: del-peer_reason
> + -
> + name: keyconf
> + type: nest
> + doc: Peer specific cipher configuration
> + nested-attributes: keyconf
Perhaps keyconf should just be used as a top-level attribute-set. The
only attr you'd need to duplicate would be peer-id? There are separate
ops for setting peers and for key configuration, right?
> + -
> + name: vpn-rx_bytes
> + type: uint
> + doc: Number of bytes received over the tunnel
> + -
> + name: vpn-tx_bytes
> + type: uint
> + doc: Number of bytes transmitted over the tunnel
> + -
> + name: vpn-rx_packets
> + type: uint
> + doc: Number of packets received over the tunnel
> + -
> + name: vpn-tx_packets
> + type: uint
> + doc: Number of packets transmitted over the tunnel
> + -
> + name: link-rx_bytes
> + type: uint
> + doc: Number of bytes received at the transport level
> + -
> + name: link-tx_bytes
> + type: uint
> + doc: Number of bytes transmitted at the transport level
> + -
> + name: link-rx_packets
> + type: u32
> + doc: Number of packets received at the transport level
> + -
> + name: link-tx_packets
> + type: u32
> + doc: Number of packets transmitted at the transport level
> + -
> + name: keyconf
> + attributes:
> + -
> + name: slot
> + type: u32
> + doc: The slot where the key should be stored
> + enum: key-slot
> + -
> + name: key-id
> + doc: |
> + The unique ID for the key. Used to fetch the correct key upon
> + decryption
> + type: u32
> + checks:
> + max: 7
> + -
> + name: cipher-alg
> + type: u32
> + doc: The cipher to be used when communicating with the peer
> + enum: cipher-alg
> + -
> + name: encrypt-dir
> + type: nest
> + doc: Key material for encrypt direction
> + nested-attributes: keydir
> + -
> + name: decrypt-dir
> + type: nest
> + doc: Key material for decrypt direction
> + nested-attributes: keydir
> + -
> + name: keydir
> + attributes:
> + -
> + name: cipher-key
> + type: binary
> + doc: The actual key to be used by the cipher
> + checks:
> + max-len: 256
> + -
> + name: nonce-tail
> + type: binary
> + doc: |
> + Random nonce to be concatenated to the packet ID, in order to
> + obtain the actua cipher IV
> + checks:
> + exact-len: nonce-tail-size
> + -
> + name: ovpn
> + attributes:
> + -
> + name: ifindex
> + type: u32
> + doc: Index of the ovpn interface to operate on
> + -
> + name: ifname
> + type: string
> + doc: Name of the ovpn interface that is being created
> + -
> + name: mode
> + type: u32
> + enum: mode
> + doc: |
> + Oper mode instructing an interface to act as Point2Point or
> + MultiPoint
> + -
> + name: peer
> + type: nest
> + doc: |
> + The peer object containing the attributed of interest for the specific
> + operation
> + nested-attributes: peer
> +
> +operations:
> + list:
> + -
> + name: new-iface
This might be better called 'dev' or 'link' to be consistent with the
existing netlink UAPIs.
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Create a new interface
> + do:
> + request:
> + attributes:
> + - ifname
> + - mode
> + reply:
> + attributes:
> + - ifname
> + - ifindex
> + -
> + name: del-iface
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Delete existing interface
> + do:
> + pre: ovpn-nl-pre-doit
> + post: ovpn-nl-post-doit
> + request:
> + attributes:
> + - ifindex
> + -
> + name: set-peer
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Add or modify a remote peer
> + do:
> + pre: ovpn-nl-pre-doit
> + post: ovpn-nl-post-doit
> + request:
> + attributes:
> + - ifindex
> + - peer
> + -
> + name: get-peer
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Retrieve data about existing remote peers (or a specific one)
> + do:
> + pre: ovpn-nl-pre-doit
> + post: ovpn-nl-post-doit
> + request:
> + attributes:
> + - ifindex
> + - peer
> + reply:
> + attributes:
> + - peer
> + dump:
> + request:
> + attributes:
> + - ifindex
> + reply:
> + attributes:
> + - peer
> + -
> + name: del-peer
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Delete existing remote peer
> + do:
> + pre: ovpn-nl-pre-doit
> + post: ovpn-nl-post-doit
> + request:
> + attributes:
> + - ifindex
> + - peer
I think you need to add an op for 'del-peer-notify' to specify the
notification, not reuse the 'del-peer' command.
> + -
> + name: set-key
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Add or modify a cipher key for a specific peer
> + do:
> + pre: ovpn-nl-pre-doit
> + post: ovpn-nl-post-doit
> + request:
> + attributes:
> + - ifindex
> + - peer
> + -
> + name: swap-keys
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Swap primary and secondary session keys for a specific peer
> + do:
> + pre: ovpn-nl-pre-doit
> + post: ovpn-nl-post-doit
> + request:
> + attributes:
> + - ifindex
> + - peer
Same for swap-keys notifications.
> + -
> + name: del-key
> + attribute-set: ovpn
> + flags: [ admin-perm ]
> + doc: Delete cipher key for a specific peer
> + do:
> + pre: ovpn-nl-pre-doit
> + post: ovpn-nl-post-doit
> + request:
> + attributes:
> + - ifindex
> + - peer
> +
> +mcast-groups:
> + list:
> + -
> + name: peers
next prev parent reply other threads:[~2024-09-17 13:24 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-17 1:07 [PATCH net-next v7 00/25] Introducing OpenVPN Data Channel Offload Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 01/25] netlink: add NLA_POLICY_MAX_LEN macro Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 02/25] rtnetlink: don't crash on unregister if no dellink exists Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 03/25] net: introduce OpenVPN Data Channel Offload (ovpn) Antonio Quartulli
2024-09-19 5:52 ` Kuniyuki Iwashima
2024-09-19 11:57 ` Antonio Quartulli
2024-09-20 9:32 ` Kuniyuki Iwashima
2024-09-20 9:46 ` Antonio Quartulli
2024-09-22 20:51 ` Sergey Ryazanov
2024-09-23 12:51 ` Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 04/25] ovpn: add basic netlink support Antonio Quartulli
2024-09-17 13:23 ` Donald Hunter [this message]
2024-09-17 21:28 ` Antonio Quartulli
2024-09-18 10:07 ` Donald Hunter
2024-09-18 11:16 ` Antonio Quartulli
2024-09-22 22:24 ` Sergey Ryazanov
2024-09-25 11:36 ` Antonio Quartulli
2024-09-26 15:06 ` Donald Hunter
2024-09-27 7:52 ` Antonio Quartulli
2024-09-22 23:20 ` Sergey Ryazanov
2024-09-23 12:59 ` Antonio Quartulli
2024-09-24 22:10 ` Sergey Ryazanov
2024-09-25 0:01 ` Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 05/25] ovpn: add basic interface creation/destruction/management routines Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 06/25] ovpn: implement interface creation/destruction via netlink Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 07/25] ovpn: keep carrier always on Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 08/25] ovpn: introduce the ovpn_peer object Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 09/25] ovpn: introduce the ovpn_socket object Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 10/25] ovpn: implement basic TX path (UDP) Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 11/25] ovpn: implement basic RX " Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 12/25] ovpn: implement packet processing Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 13/25] ovpn: store tunnel and transport statistics Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 14/25] ovpn: implement TCP transport Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 15/25] ovpn: implement multi-peer support Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 16/25] ovpn: implement peer lookup logic Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 17/25] ovpn: implement keepalive mechanism Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 18/25] ovpn: add support for updating local UDP endpoint Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 19/25] ovpn: add support for peer floating Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 20/25] ovpn: implement peer add/dump/delete via netlink Antonio Quartulli
2024-09-23 14:36 ` Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 21/25] ovpn: implement key add/del/swap " Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 22/25] ovpn: kill key and notify userspace in case of IV exhaustion Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 23/25] ovpn: notify userspace when a peer is deleted Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 24/25] ovpn: add basic ethtool support Antonio Quartulli
2024-09-17 1:07 ` [PATCH net-next v7 25/25] testing/selftest: add test tool and scripts for ovpn module Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2wmjabehc.fsf@gmail.com \
--to=donald.hunter@gmail.com \
--cc=andrew@lunn.ch \
--cc=antonio@openvpn.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ryazanov.s.a@gmail.com \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.